!26 Fix CVE-2022-45442

From: @starlet-dx 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git

Fix-broken-spec.patch

@@ -0,0 +1,29 @@
+From 5baa1c8ddcadfdfe07b74c2a72fc9a29121851fd Mon Sep 17 00:00:00 2001
+From: Jordan Owens <jkowens@gmail.com>
+Date: Sun, 22 Jan 2023 19:28:40 -0500
+Subject: [PATCH] Fix broken spec
+
+HTTP ranges with non decimal characters is treated as range 0..0 as of Rack 2.2.6.2.
+
+Origin:
+https://github.com/sinatra/sinatra/commit/5baa1c8ddcadfdfe07b74c2a72fc9a29121851fd
+---
+ test/static_test.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test/static_test.rb b/test/static_test.rb
+index d0cbbb0..5e3c34d 100644
+--- a/test/static_test.rb
++++ b/test/static_test.rb
+@@ -153,7 +153,7 @@ class StaticTest < Minitest::Test
+ 
+   it 'correctly ignores syntactically invalid range requests' do
+     # ...and also ignores multi-range requests, which aren't supported yet
+-    ["bytes=45-40", "bytes=IV-LXVI", "octets=10-20", "bytes=-", "bytes=1-2,3-4"].each do |http_range|
++    ["bytes=45-40", "octets=10-20", "bytes=", "bytes=3-1,4-5"].each do |http_range|
+       request = Rack::MockRequest.new(@app)
+       response = request.get("/#{File.basename(__FILE__)}", 'HTTP_RANGE' => http_range)
+ 
+-- 
+2.27.0
+

Fix-failing-tests.patch

@@ -1,25 +0,0 @@
-From 750aa3b0de06dad41539bdb402123b5416a3475d Mon Sep 17 00:00:00 2001
-From: Jordan Owens <jkowens@gmail.com>
-Date: Tue, 10 Mar 2020 10:24:05 -0400
-Subject: [PATCH] Fix failing tests
-
-Rack added support for Multi-part ranges and apparently changed the
-format of cookie expires timestamp format to match specs.
----
- test/static_test.rb |  3 +--
- 1 files changed, 1 insertions(+), 2 deletions(-)
-
-diff --git a/test/static_test.rb b/test/static_test.rb
-index e8408b14e..1c6cb35e9 100644
---- a/test/static_test.rb
-+++ b/test/static_test.rb
-@@ -152,8 +152,7 @@ def assert_valid_range(http_range, range, path, file)
-   end
- 
-   it 'correctly ignores syntactically invalid range requests' do
--    # ...and also ignores multi-range requests, which aren't supported yet
--    ["bytes=45-40", "bytes=IV-LXVI", "octets=10-20", "bytes=-", "bytes=1-2,3-4"].each do |http_range|
-+    ["bytes=45-40", "bytes=IV-LXVI", "octets=10-20", "bytes=", "bytes=3-1,4-5"].each do |http_range|
-       request = Rack::MockRequest.new(@app)
-       response = request.get("/#{File.basename(__FILE__)}", 'HTTP_RANGE' => http_range)
- 

backport-CVE-2022-45442-test.patch

@@ -0,0 +1,40 @@
+From 1808bcdf3424eab0c659ef2d0e85579aab977a1a Mon Sep 17 00:00:00 2001
+From: namusyaka <namusyaka@gmail.com>
+Date: Wed, 23 Nov 2022 22:24:02 +0900
+Subject: [PATCH] escape filename in the Content-Disposition header
+
+According the multipart form data spec in WHATWG living standard.
+Ref: https://html.spec.whatwg.org/#multipart-form-data
+
+Origin:
+https://github.com/sinatra/sinatra/commit/1808bcdf3424eab0c659ef2d0e85579aab977a1a
+---
+ test/helpers_test.rb | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/test/helpers_test.rb b/test/helpers_test.rb
+index 52d5fbc..217c9fc 100644
+--- a/test/helpers_test.rb
++++ b/test/helpers_test.rb
+@@ -781,6 +781,18 @@ class HelpersTest < Minitest::Test
+       assert_equal '<sinatra></sinatra>', body
+     end
+ 
++    it 'escapes filename in the Content-Disposition header according to the multipart form data spec in WHATWG living standard' do
++      mock_app do
++        get('/attachment') do
++          attachment "test.xml\";\r\next=.txt"
++          response.write("<sinatra></sinatra>")
++        end
++      end
++
++      get '/attachment'
++      assert_equal 'attachment; filename="test.xml%22;%0D%0Aext=.txt"', response['Content-Disposition']
++      assert_equal '<sinatra></sinatra>', body
++    end
+   end
+ 
+   describe 'send_file' do
+-- 
+2.47.0
+

backport-CVE-2022-45442.patch

@@ -0,0 +1,51 @@
+From 1808bcdf3424eab0c659ef2d0e85579aab977a1a Mon Sep 17 00:00:00 2001
+From: namusyaka <namusyaka@gmail.com>
+Date: Wed, 23 Nov 2022 22:24:02 +0900
+Subject: [PATCH] escape filename in the Content-Disposition header
+
+According the multipart form data spec in WHATWG living standard.
+Ref: https://html.spec.whatwg.org/#multipart-form-data
+
+Origin:
+https://github.com/sinatra/sinatra/commit/1808bcdf3424eab0c659ef2d0e85579aab977a1a
+---
+ lib/sinatra/base.rb | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
+index 727078d..ccd5c85 100644
+--- a/lib/sinatra/base.rb
++++ b/lib/sinatra/base.rb
+@@ -357,16 +357,23 @@ module Sinatra
+       response['Content-Type'] = mime_type
+     end
+ 
++    # https://html.spec.whatwg.org/#multipart-form-data
++    MULTIPART_FORM_DATA_REPLACEMENT_TABLE = {
++      '"'  => '%22',
++      "\r" => '%0D',
++      "\n" => '%0A'
++    }.freeze
++
+     # Set the Content-Disposition to "attachment" with the specified filename,
+     # instructing the user agents to prompt to save.
+     def attachment(filename = nil, disposition = :attachment)
+       response['Content-Disposition'] = disposition.to_s
+-      if filename
+-        params = '; filename="%s"' % File.basename(filename)
+-        response['Content-Disposition'] << params
+-        ext = File.extname(filename)
+-        content_type(ext) unless response['Content-Type'] or ext.empty?
+-      end
++      return unless filename
++
++      params = format('; filename="%s"', File.basename(filename).gsub(/["\r\n]/, MULTIPART_FORM_DATA_REPLACEMENT_TABLE))
++      response['Content-Disposition'] << params
++      ext = File.extname(filename)
++      content_type(ext) unless response['Content-Type'] || ext.empty?
+     end
+ 
+     # Use the contents of the file at +path+ as the response body.
+-- 
+2.47.0
+

rubygem-sinatra.spec

@@ -3,12 +3,17 @@
 Summary:             Ruby-based web application framework
 Name:                rubygem-%{gem_name}
 Version:             2.0.3
-Release:             2
+Release:             3
 License:             MIT
 URL:                 http://www.sinatrarb.com/
 Source0:             https://rubygems.org/gems/sinatra-%{version}.gem
 Source1:             https://github.com/sinatra/sinatra/archive/v%{version}.tar.gz
-Patch0:              Fix-failing-tests.patch
+Patch0:              Fix-broken-spec.patch
+
+# Security fix
+Patch3000:           backport-CVE-2022-45442.patch
+Patch3001:           backport-CVE-2022-45442-test.patch
+
 BuildRequires:       rubygems-devel
 %if ! 0%{?bootstrap}
 BuildRequires:       rubygem(rack) >= 2.0 rubygem(rack-protection) = %{version} rubygem(tilt)
@@ -29,12 +34,13 @@ Obsoletes:           %{name}-doc < %{version}-%{release}
 This package contains documentation for %{name}.
 
 %prep
-gem unpack %{SOURCE0}
+%setup -q -n %{gem_name}-%{version} -b 1
-%setup -q -D -T -n  %{gem_name}-%{version}
+%patch0 -p1
-gem spec %{SOURCE0} -l --ruby > %{gem_name}.gemspec
+%patch3000 -p1
+%patch3001 -p1
 
 %build
-gem build %{gem_name}.gemspec
+gem build ../%{gem_name}-%{version}.gemspec
 %gem_install
 
 %install
@@ -46,9 +52,7 @@ sed -i -e 's|^#!/usr/bin/env ruby|#!/usr/bin/ruby|' \
 %check
 %if ! 0%{?bootstrap}
 pushd .%{gem_instdir}
-tar xzvf %{SOURCE1}
+ln -s %{_builddir}/%{gem_name}-%{version}/test test
-cd %{gem_name}-%{version}
-cat %{PATCH0} | patch -p1
 for FILE in $(grep -rl '^require.*bundler.*' test/); do
   sed -i "/^require 'bundler.*'/ s/^/#/" ${FILE}
 done
@@ -80,6 +84,9 @@ popd
 %{gem_instdir}/examples
 
 %changelog
+* Wed Nov 20 2024 yaoxin <yao_xin001@hoperun.com> - 1:2.0.3-3
+- Fix CVE-2022-45442
+
 * Fri Dec 03 2021 xu_ping <xuping33@huawei.com> - 2.0.3-2
 - Fix tests failed